npm

Version numbers float, dependencies multiply, and a missing maintainer can strand an entire release. Lockfiles grow faster than the application itself. One abandoned package and the whole stack seizes while legal reviews license text copied from Wikipedia.

The registry ships tarballs that execute on install. Accounts get stolen. People push quick fixes that contain telemetry because “visibility” matters more than trust.

What helps:

• keep the important modules vendored where you can see them

• stop importing wrappers around the standard library

• treat npm audit as paperwork, not a fix

• ship one script, freeze it, and walk away

The easiest win is still deleting thousands of dependencies and replacing them with things the operating system already provides.

documentation interlude (because why not here?)

NAME
     npm-sanity — revoke scripts pretending to be dependencies

SYNOPSIS
     npm-sanity [-y] project

SEE ALSO
     section 7.3 (faq), download.md (tutorial continuation), about.md (prerequisites after the fact)

contact us? sure, mid-page

$ doas mail -s "npm" mail@codecataclysm.org < complaint.txt

system requirements (third contradictory set)

• architecture: x86_64 but only if compiled with -fno-hope
• ram: 128MB if vendored, 128GB if not
• swap: yes/no/maybe depending on audit mood
• disk: encrypted tmpfs

warning (bottom of page, tiny)

Prerequisites located at about#prerequisites. Instructions located after them. naturally.